Comment 5 for bug 1576353

Colin Watson (cjwatson) wrote : Re: install openssh-server by default, prompt for enabling it on server iso install

I think I'm OK with adding a low-priority debconf question to disable password authentication. That's a much lower-maintenance solution from my point of view than the various things that have been proposed in the past for disabling the service entirely. The packaged default would be true (i.e. enable password auth), but the server image could preseed it to false.

Regarding socket activation, I'd like to draw your attention to this section from openssh-server's README.Debian file. The bit about MaxStartups explains why I'm unwilling to make this the default on servers:

Per-connection sshd instances with systemd
------------------------------------------

If you want to reconfigure systemd to listen on port 22 itself and launch an
instance of sshd for each connection (inetd-style socket activation), then
you can run:

  systemctl stop ssh.service
  systemctl start ssh.socket

To make this permanent:

  systemctl disable ssh.service
  systemctl enable ssh.socket

This may be appropriate in environments where minimal footprint is critical
(e.g. cloud guests). Be aware that this bypasses MaxStartups, and systemd's
MaxConnections cannot quite replace this as it cannot distinguish between
authenticated and unauthenticated connections; see
https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion.

The provided ssh.socket unit file sets ListenStream=22. If you need to have
it listen on a different address or port, then you will need to do this by
copying /lib/systemd/system/ssh.socket to /etc/systemd/system/ssh.socket and
modifying the ListenStream option. See systemd.socket(5) for details.
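A small audit script, added here as an illustration (it is neither Colin Watson's code nor part of the openssh-server package), that shows the consequence described above: it reads `systemctl show ssh.socket` and `sshd -T` to report whether sshd is socket-activated (so MaxStartups is bypassed and only MaxConnections= applies) and whether password authentication is still enabled. The sample outputs are constructed; the live commands are used when they are available and succeed.

```python
import subprocess

# Constructed sample outputs (not captured from a real host) so the checks
# run offline; live_text() fetches the real output when the tools exist.
SAMPLE_SOCKET_SHOW = "Id=ssh.socket\nActiveState=active\nMaxConnections=64\n"
SAMPLE_SSHD_T = "port 22\nmaxstartups 10:30:100\npasswordauthentication yes\n"

def parse_systemctl_show(text):
    """`systemctl show <unit>` prints Key=Value lines; keep them as a dict."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def parse_sshd_t(text):
    """`sshd -T` prints the effective config as lower-cased keyword/value lines."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg[parts[0]] = parts[1]
    return cfg

def assess(socket_props, sshd_cfg):
    """Report which connection limit actually applies and whether password auth is on."""
    socket_active = socket_props.get("ActiveState") == "active"
    finding = {
        "mode": "socket-activated" if socket_active else "standalone",
        "maxstartups_enforced": not socket_active,
        "password_auth": sshd_cfg.get("passwordauthentication", "yes") == "yes",
    }
    if socket_active:
        # Per README.Debian: one sshd per connection bypasses MaxStartups, and
        # MaxConnections= cannot tell authenticated from unauthenticated sessions.
        finding["limit"] = "MaxConnections=" + socket_props.get("MaxConnections", "?")
    else:
        finding["limit"] = "MaxStartups=" + sshd_cfg.get("maxstartups", "?")
    return finding

def live_text(cmd, fallback):
    """Run cmd and return its stdout, or the constructed sample if it fails."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return fallback

if __name__ == "__main__":
    props = parse_systemctl_show(live_text(["systemctl", "show", "ssh.socket"], SAMPLE_SOCKET_SHOW))
    cfg = parse_sshd_t(live_text(["sshd", "-T"], SAMPLE_SSHD_T))  # sshd -T needs root
    for key, value in assess(props, cfg).items():
        print(f"{key}: {value}")
```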